How to engage senior management and key stakeholders

By Gary Duncan, 2 June 2025

Influencing decision-makers and engaging with senior leadership and key stakeholders is all about messaging. But what if compliance can’t always get that message across?

In a recent ICA Member Webinar, Pekka Dare, ICA President, and Paul Coady, Founder and CEO of ComplianceLnD, explained how compliance teams can manage stakeholder expectations, build strong relationships with senior management and get their messages heard.

‘Sometimes, people don’t respond,’ Dare said. ‘Or they hear us as white noise.’

So, how can compliance be heard and get practical strategies in place in the real world, not just with senior management, but with all stakeholders in the organisation?

Coady said it’s about bringing two different worlds together.

‘Sometimes we have situations where the technical experts don’t necessarily appreciate the people side and the people experts and the learning and development experts don’t necessarily understand the technical side,’ he explained.

To improve engagement with stakeholders, Coady highlighted a few areas for compliance teams to focus on, including risk responsibility versus accountability, navigating rationalisation, and balancing influence and direct control.

Risk responsibility versus accountability

To understand risk responsibility and accountability, compliance must first understand how the three lines of defence work in practice.

Coady asked a simple question: who owns the financial crime risk in your organisation? Is it everyone, the business units, the financial crime function in the second line of defence, or the actual head of financial crime?

He said he recently put the same question to several hundred people in a meeting, and only one person got it right.

‘The thing I keep harping on about and keep pushing is that I don’t believe in the industry, in any industry, that we fully understand the three lines of defence,’ he said. ‘We’ve been conditioned to believe that everyone has ownership – and that’s wrong. Everyone does have responsibility, but the ownership of risk actually sits with the business units.’

Dare said there’s a huge difference between responsibility and accountability and ownership.

At the ICA, he said, there has been a big push in the past few years to change that mindset – to underscore that it’s the business, and not the compliance function, that owns the risk. ‘That’s such a huge cultural change,’ he said.

Navigating rationalisation

The discussion moved on to the issue of rationalisation, or how individuals justify their decision-making.

To illustrate the challenges that this can create, Coady cited the example of a water station he saw in Dublin airport. There were no staff and no CCTV, but the instructions were clear: if you take a bottle of water, you must pay one euro into an honesty box.

In such situations, some people will pay and some will not. The point, he said, is that even with the right controls and clear instructions, some people still choose to do the wrong thing.

Some will try to rationalise their decision not to pay by saying there should have been better controls in place or that they’ve already paid a lot of money for their flight and it’s ‘only’ a bottle of water.

This is important when it comes to stakeholder engagement, Coady said, because when people do bad things, they don’t necessarily believe they’re doing wrong. In this case, 92% of people did pay for their water. A decent return, but Coady was more concerned about the other 8%.

That 8% is a problem for an organisation that rolls out a new compliance policy and needs everyone to comply. ‘What if 8% is the magic number?’ Coady asked. ‘What if 8% of your people won’t do the right thing, even though you’ve been crystal clear with them?’

For global financial services companies with huge workforces, he said, 8% could mean that up to 18,000 employees do not comply.

Balancing influence and direct control

Coady cited a letter from ‘Mary’, the global head of compliance at a fictional firm, to highlight how not to get the right balance between influence and direct control. Informing her team of a new compliance strategy, the gist of the letter was, ‘I’m the head of compliance, you all work for me and this is what we’re doing!’

It’s an exaggeration to prove a point, but some people do use that type of language in the workplace, Coady said.

‘I’ve seen it where the person who is a head of a department comes in and basically dictates exactly what’s going to happen without listening, without engaging their stakeholders, without taking account of their stakeholders’ needs and worries and risks,’ he said. ‘I don’t understand it, but as they become more senior they think they need to become more controlling and more dictatorial. But that’s not the way we’re going to manage these things effectively.’

Building stakeholder engagement

Coady said credibility is key to improving engagement. 

A lot of people make the mistake of going into a meeting with senior managers and stakeholders who don’t know who they are.

‘If you want to effectively engage people, if you want to grasp their attention, the first thing they need to know is that you’re the right person to be talking about this,’ he said.

It’s also important in meetings for compliance to explain the risks and consequences upfront.

‘Always start with the risks and consequences,’ Coady said. ‘I’ve seen so many people make this mistake of not talking about it upfront. It’s an uncomfortable conversation, so they leave it till the end. If you bring it in at the start, particularly if it’s serious consequences, you’ll get their engagement from the outset.’

Key takeaway

Coady advised anyone in the risk, compliance and financial crime functions to really think about what they need to know – and not to assume they already know it.

‘Let’s take the three lines of defence as an example,’ he said. ‘We asked you a polling question, and you’re all in the compliance, risk and financial crime world – you’re the people who should know this. It’s not your fault that the polling question went that way.’

The reason, he explained, is that organisations are conditioning people to think a certain way, and they’re not spending enough time to make sure they actually understand the foundations of risk and compliance.

‘Don’t assume people have that underlying knowledge,’ he said. ‘People come into roles and we assume they’ve got it, but in a lot of cases they don’t.’